The #1 Starbucks website (not run by Starbucks Corp.)

February 23, 2009

Starbucks employee in Chicago brings class-action lawsuit over lost laptop

Laura Krottner's suit accuses Starbucks of fraud and negligence. It says the company "failed to follow reasonable precautions to secure its employees' [personally identifiable information], failed to provide timely notice, and failed to protect employees from invasion of privacy, fraud, identity theft, and associated expenses." It adds that Krottner and the other employees must now spend "considerable time and money to protect themselves" from identity theft. || Read "Starbucks sued after laptop data breach"

Hey THE ASM... employees enter a fiscal (social security, etc...) confidentiality agreement with their gainful employer automatically in this country, look it up... this incident, though in all likelihood accidental, was a major breach of this agreement. The company chose the band aid of one year (!?) of online credit watching to solve the problem while several of its "valued" partners were having their identities and financial privacy violated. If any partner (in the stores I mean) made this kind of mistake they would be fired immediately... and you would too! Don't be so callous because of your company biases... if it happened to you you wouldn't mouth off in such a negligent manner.

A year of free credit monitoring and security is more than enough! If things last beyond that point, then maybe you have a case, but not until then! And, if you don't have any actual damages, you shouldn't be able to sue.

I'm not surprised at all that that laptop was stolen. On Friday my district manager was doing some evaluation of the store (I didn't bother to ask but he checked EVERYTHING) and then went to check things in the back and talk to our manager. He was back there for at least an hour and left his briefcase and laptop sitting at a table up front just waiting to be stolen.

I don't think they should sue though because there has been no reported damage (that I know of) and they did give us a full year of monitoring services.

you see the problem with that is, this is the second letter i got. there is an issue within the company that was not resolved. maybe to you first timers, we should be peaches and cream, but to those of us it happened to twice.... maybe we feel a lawsuit is deserved. mistakes happen, sure, but when the same mistake happens twice, it's not an accident. it's laziness, avarice, poor accounting, whatever you want to call it. i hope i get the letter asking me to sign up for it.
i trusted this company with my personal information, and not only did they carelessly lose it one time.... they did it twice.
it isn't about the potential of theft for me, it's about the sanctity of trust between you and the company you work for, to hold on to the sensitive information you must provide for them.

From what I understand the earlier missing laptop may have never left the SSC and they weren’t sure what was on it so they erred on the side of caution and assumed worst case. I’ve never heard of any partners’ identities compromised as a result of that theft.

They are doing something about the problem. There’s a project under way right now to install whole disk encryption on all the company laptops so even if one is stolen the data is secure. It’s been rolled out to IT to gain feedback and will be going out company wide soon.

You can write all the policy you want but there’s really no way, technically, to enforce that policy in real-time. You can punish someone after the fact but that doesn’t do any of us any good. The best any company can do is assume all the laptops have personal data on them and secure the data from thieves.

whole disk encryption has been rolling group by group since the beginning of the year ... this laptop was stolen, out of a partner's home, a few weeks before the bux started to install government defense contractor level encryption on our laptops ...

I'm one of the potentially 97,000 partners affected by this and I don't blame the bux for it. In all likelihood the thief broke in, entered the partner's home, grabbed some electronics and ebayed his loot. The laptop was probably wiped and is being used by someone who bought a cheapo laptop off ebay ...

a competent and tech savvy burglar might think to look for some info to identity theft, but he'd need to be savvy and patient enough to do a lil' hacking and digging ...

I'd say we're all more at risk of identity theft here on these forums anytime we click a link, whether it be posted by webmaster or someone's supposed email address or webpage

I got a letter from Starbucks too. I signed up for the free year, and went ahead and froze all my credit, and monitor all my accounts. I'm being proactive. Not worth a lawsuit, quit whining. But I too, would like to make sure Starbucks puts out some kind of report about what they are doing to protect information.

My info was on a lost/stolen (I believe they said it was "misplaced") laptop a few years back. Starbucks really needs to take a look at procedures and protocol regarding handling of this type of information.

I wouldn't have a problem with the laptop theft and response if this was the first time it had ever happened. However, this has happened before with a stolen Laptop at the SSC. Back then we were offered a year of free credit monitoring (which, btw, you could not take advantage of if you were already monitoring your credit - which I was at the time as a responsible consumer).

Nothing happened as a result of the theft that I know of, however back then - at least FOUR YEARS AGO - SBUX was clearly put on notice to ensure that it didn't happen again. If I remember correctly, they were going to "take steps to make sure partner information wasn't stored on laptops". Guess that didn't happen. So what else is new.

By the way, how much does it cost to offer free credit monitoring for a year to 97,000 partners? A fair chunk of change to be sure.

SBUX has had problems handling security issues many times in the past, and the same things seem to happen to them repeatedly. No one seems to learn from their mistakes. P&AP needs a wake up call.

Actually, I've been here long enough to know about the first letter, I too received it. So put that in your pipe and smoke it, quit complaining and go work for a company that is trust-worthy to you...Call me if u find one -I hear the unemployment office is hiring!

wow asm.... just wow. so as a person going to get his MBA, your fortune 500 company you're going to run, if it should have any security issues with your personal information, not once but twice, you'd let it slide?

just make sure you let us all know the company you end up working for.

once is an accident, twice is careless, and to be faulted. now i'll put it out there in terms you can understand.... you're responsible for the merchandise in your store, if someone walks out with the most basic espresso machine once, you're in trouble, you'll probably get to keep your job... if it happens twice to you, well... probably not.

we are responsible for the stores and merchandise, the company is responsible for the information, that as law, we have to give to be employed. the company let not only a lot of people's information out at once, but did it twice.

and think about it.... if someone was knowledgeable enough about starbucks who stole the laptop from the inside of the office... don't you think they'd know to not do anything with that information until the year is up? i mean they weren't caught yet, as far as i know, so therefore, they still work for the company, or probably still have contacts, or at the very least got a letter as well.

P&AP did get a wake up call two weeks ago when pretty much everyone got fired. Think that is going to help this from happening again? doubt it.

Also, no one has brought up the elephant in the room....Howard never apologized for any of this. Never. That is the height of arrogance. He doesn't care about the partners, thinks anything we lost collectively wouldn't add up to a fraction of what HE has lost in stock value over the last two years...why should he care? Howard turned his back on the 'partners' a long time ago. I understand working for a soul-less company, many people do it - but the hypocrisy from Howard is unreal.

There are a lot of things that are relevant before anyone passes judgement.
Namely how was the laptop lost, and who is responsible. Was it stolen out of the trunk of the car of an executive? Or maybe accidentally left behind when they were having lunch? Was it internal employee theft? Could it have never left SSC and simply been misplaced? (I'm willing to bet that it's a big building) Someone above said "If a person had a mind about them, they could walk out of this place with a few laptops... " Maybe an executive was traveling overseas and the laptop was lost like airport luggage.

i'm sooo glad i stopped my direct deposit right before this happened and won't be going back to it anytime soon.
i heard three dallas/ft worth stores got "howard" visits today! he didn't stop by mine though i'm not sure if i could have held my tongue if i did see him face to face. did anyone taste the new lemon tart? i found it good but lacking the lemon tang that a traditional lemon curd brings. i really wish if howard does read these ever then would you please bring back the apricot energy cookies. if you are working for nutrition then these gave customers the best true nutrients for a mid snack.

One of the questions that should be addressed is why a laptop was treated as though it were a secure platform. This has shown itself to be a problem not only at Starbucks but at other major companies and in government. People assume their laptop is secure since they have to enter a name and password to log on, they copy sensitive and confidential information to it and take it out to a public place. This is tantamount to printing off SSNs and other sensitive information and putting it into a binder with a padlock on it. No one would think that was a good idea!

A second good question would be to ask why this person needed that information on a laptop. There really should not be any reason to remove this sort of information from secure data stores. There are many technologies available to allow this type of data to be stored securely and have secure remote access to it without it becoming compromised.

When an agent of a company acts in any capacity with regards to employees, products, property or information; they are viewed as acting on behalf of the company. This makes the company culpable for the actions of its employees. This is why there are policies against a barista speaking to the media etc.

Bottom line is, the only way companies learn is to be penalized. People would like to think things have changed since the days of sweat shops, but that is generally only because there are legal reasons keeping companies from behaving as they may have in the past. To this day companies try to get away with as much as they can without stepping over that legal line. This lawsuit should not be seen just as someone trying to get rich off of Starbucks, but also a way to send a message that will be heard by Starbucks and other large companies to keep their employees' information secure.

What I want to hear from those of you saying that credit monitoring of a year is enough, what would you do if you were a customer at Macy's who went shopping with your credit card? What if an employee took some data stored by Macy's and put it on a laptop to take it home and do some work. Let's say that information was your name, SSN, address, phone number, bank account numbers and for fun your credit card number. Now, that Macy's employee takes the laptop home but on the way stops at their local Starbucks to get a tall coffee. While they are in the store, someone breaks into the car and steals the laptop. Are you satisfied when Macy's offers you a year of free credit monitoring?

ASM- I never assumed anything. But now that you're taking MBA classes and maintaining your bias, can I assume you'll continue to be ignorant of ethical concerns from people within and outside of this company AND worker's rights despite a post graduate education? Tell us what company you plan to run as soon as you figure that out... I intend on not patronizing it. Furthermore, if this is the kind of unreasonable and unsympathetic attitude we get out of our own people in the stores, I suspect this company's reputation and profitability will never turn around. I hate to come out and be as brash as this... but Stan is right. Good grief what happened to this coffee chain?

BostonJoe, you are absolutely correct with your reasoning! A year of free credit monitoring does not make it okay for the company to be careless with all the information necessary for someone to steal your identity! Regardless of whether it is used or it is not used, it was completely preventable!

My info was also on that laptop so I took the free year of monitoring. It is a super restricted service unless you pay to upgrade. You get ONE credit report the day you sign up for it. Since then, I have gotten multiple notices letting me know that I've had inquiries on my credit (I can't see from who, and I haven't signed up for any new accounts or anything) and I have one account listed that I don't know where it is from and the balance keeps increasing. If someone IS using my info, like I suspect, I would like to be able to see what is being changed with my credit. Starbucks should have offered a more complete monitoring service so I don't have to be so on edge. And one year is absolutely not enough. Considering the sheer amount of partners affected, they should have offered up to 3 years for those who want it. Most damage is not instantaneous, but gradually over time. I think Starbucks handled this very poorly.

I wrote an email to corp Seattle about our manager treating not only me but most of the partners with disrespect and not being able to manage the store correctly because we always run out of things EVERY day (like 3-5 things), not to mention she schedules us outside our availability and expects us to cover our shifts, even though it was the manager's fault in the first place. When it finally went to the HR department at our Starbucks in Phx, Arizona, the HR department just addressed the issue of the availability and ordering issue, and could give a *&$# about the manager disrespecting the partners there. So I guess it's Starbucks policy to fix 2/3 of the issues brought up.....they basically are trying to fix the money making part of the store and could give 2 cents about the way the manager treats their employees.

Credit monitoring to protect your identity? What a crock. It can barely even detect financial fraud: Experian actually admitted to the New York Times that their credit-monitoring products could not detect fraud cases in which a credit applicant used his/her own name, address and phone number with someone else's (i.e. YOU) Social Security number. Here’s the problem: 80 percent of identity fraud today is exactly what they admitted to not being able to detect. If one major Credit reporting bureau can’t, why would the others be any different? This type of Identity Theft is called synthetic ID fraud or ID cloning. What the ID thieves do is steal only your SSN and through a variety of nefarious, but quite clever methods, create a brand new person. The problem for you is that the fraud usually won’t show up on credit reports because the only identifier that matches you is the SSN. And what if the fraud is not financial in nature?

if someone was knowledgeable enough about starbucks who stole the laptop from the inside of the office... don't you think they'd know not to do anything with that information until the year is up?...what you think?